From 985af94c4580fbdd3ec733082c285e70edeb86ea Mon Sep 17 00:00:00 2001 From: Andrew W Elble Date: Fri, 17 Apr 2020 11:38:22 -0400 Subject: [PATCH] singularity: new variants to enable non-suid and non-network builds (#16088) Defaults are left as they are currently --- .../builtin/packages/singularity/package.py | 55 +++++++++++-------- 1 file changed, 32 insertions(+), 23 deletions(-) diff --git a/var/spack/repos/builtin/packages/singularity/package.py b/var/spack/repos/builtin/packages/singularity/package.py index c33b6a3202..8931e270da 100644 --- a/var/spack/repos/builtin/packages/singularity/package.py +++ b/var/spack/repos/builtin/packages/singularity/package.py @@ -35,6 +35,8 @@ class Singularity(MakefilePackage): version('3.2.1', sha256='d4388fb5f7e0083f0c344354c9ad3b5b823e2f3f27980e56efa7785140c9b616') version('3.1.1', sha256='7f0df46458d8894ba0c2071b0848895304ae6b1137d3d4630f1600ed8eddf1a4') + variant('suid', default=True, description='install SUID binary') + variant('network', default=True, description='install network plugins') depends_on('go') depends_on('libuuid') depends_on('libgpg-error') @@ -82,7 +84,12 @@ def build_directory(self): # Hijack the edit stage to run mconfig. def edit(self, spec, prefix): with working_dir(self.build_directory): - configure = Executable('./mconfig --prefix=%s' % prefix) + confstring = './mconfig --prefix=%s' % prefix + if '~suid' in spec: + confstring += ' --without-suid' + if '~network' in spec: + confstring += ' --without-network' + configure = Executable(confstring) configure() # Set these for use by MakefilePackage's default build/install methods. @@ -127,33 +134,35 @@ def _build_script(self, filename, variable_data): @run_after('install') def build_perms_script(self): - script = self.perm_script_path() - chown_files = ['libexec/singularity/bin/starter-suid', - 'etc/singularity/singularity.conf', - 'etc/singularity/capability.json', - 'etc/singularity/ecl.toml'] - setuid_files = ['libexec/singularity/bin/starter-suid'] - self._build_script(script, {'prefix': self.spec.prefix, - 'chown_files': chown_files, - 'setuid_files': setuid_files}) - chmod = which('chmod') - chmod('555', script) + if self.spec.satisfies('+suid'): + script = self.perm_script_path() + chown_files = ['libexec/singularity/bin/starter-suid', + 'etc/singularity/singularity.conf', + 'etc/singularity/capability.json', + 'etc/singularity/ecl.toml'] + setuid_files = ['libexec/singularity/bin/starter-suid'] + self._build_script(script, {'prefix': self.spec.prefix, + 'chown_files': chown_files, + 'setuid_files': setuid_files}) + chmod = which('chmod') + chmod('555', script) # Until tty output works better from build steps, this ends up in # the build log. See https://github.com/spack/spack/pull/10412. @run_after('install') def caveats(self): - tty.warn(""" - For full functionality, you'll need to chown and chmod some files - after installing the package. This has security implications. - For details, see: - https://sylabs.io/guides/2.6/admin-guide/security.html - https://sylabs.io/guides/3.2/admin-guide/admin_quickstart.html#singularity-security + if self.spec.satisfies('+suid'): + tty.warn(""" + For full functionality, you'll need to chown and chmod some files + after installing the package. This has security implications. + For details, see: + https://sylabs.io/guides/2.6/admin-guide/security.html + https://sylabs.io/guides/3.2/admin-guide/admin_quickstart.html#singularity-security - We've installed a script that will make the necessary changes; - read through it and then execute it as root (e.g. via sudo). + We've installed a script that will make the necessary changes; + read through it and then execute it as root (e.g. via sudo). - The script is named: + The script is named: - {0} - """.format(self.perm_script_path())) + {0} + """.format(self.perm_script_path()))